tag:www.refactormycode.com,2007:users665NickMon Jun 23 00:35:49 -0700 2008tag:www.refactormycode.com,2007:Refactor115252008-06-23T00:35:49-07:00[C#] On Sanitize HTML<p>@Chris: it is actually simpler than you make it out to be, you don't actually create an expression for each tag you want to check, you just create one expression that will strip out everything you need. And then you reconstruct the tag using a white list of attributes. I have posted the regex below. I don't want to spam the board with my code but you can find the original here <a href="http://refactormycode.com/codes/333-sanitize-html#refactor_11281" target="_blank">http://refactormycode.com/codes/333-sanitize-html#refactor_11281</a> that will do all this for you. Very simple and easy to implement code.</p>
<p>Also @Chris you mentioned some very trivial things such as case and quote use, both can easily be corrected when you can pull out the attributes and values from tags. I am reconstructing the tag with out the blacklisted attributes so I can just as easily call ToLower on the attribute and wrap it with quotes.</p>
<p>Remember you are not trying to make the system a burden the users, if they enter in a link tag with some attributes that don't fall in white list you shouldn't just ignore the whole link, because 99 times out of 100 they didn't really care about the extra attribute but they most definitely cared about the link. Same can be argued for <blockquote /> where somebody might use the cite attribute. </p>
<p>Remember the purpose of this is to sanitize the HTML, not provide an iron fist. An Iron fist will just confuse the user as to why their link was not entered in to the system.</p>
<pre>@"(?'tag_start'</?)(?'tag'\w+)((\s+(?'attr'(?'attr_name'\w+)(\s*=\s*(?:"".*?""|'.*?'|[^'"">\s]+)))?)+\s*|\s*)(?'tag_end'/?>)"</pre>Nicknick@coderjournal.comtag:www.refactormycode.com,2007:Refactor114622008-06-22T12:10:04-07:00[C#] On Sanitize HTML<p>Hi Jeff, point well taken from your last comment. I had forgotten that you were using WMD, I am use to working with the WYSIWYG editors on the web. While looking over your code I did actually have a bug in some of your assumptions. You assume that anchors are going to be written like <a href="..." title="..." />, but what if somebody does <a title="..." href="..." /> or <a href="title" rel="friend" />? It doesn't look like your regex can handle that. Same with the <img /> tag. Except this one has 25 different ways it can be written with just the attributes you allow, and hundreds with all the valid attributes. </p>
<p>I know I have said this before, it was probably missed with all the flurry of comments, but you might want to consider also whitelisting the attributes, so they can appear in any order.</p>
<pre></pre>Nicknick@coderjournal.comtag:www.refactormycode.com,2007:Refactor113732008-06-21T13:59:48-07:00[C#] On Sanitize HTML<p>Jeff I think we are forgetting about something. You have all of these tags which are valid, but what if somebody copies and pastes from the web? Where <h /> tags and <p /> tags and probably everything else contain a class, style, or etc attribute. You need to strip out the attributes that you don't care about, while keeping the general tag. I provided a solution to this a couple items back.</p>
<pre></pre>Nicknick@coderjournal.comtag:www.refactormycode.com,2007:Refactor112862008-06-20T15:16:52-07:00[C#] On Sanitize HTML<p>I just updated it to use StringBuilder. What I like about this method, that I am using, is that I can add special processing in the code, such as adding a rel="nofollow" when an "a" tag is found. I am using this with out much trouble on <a href="http://www.ideapipe.com" target="_blank">http://www.ideapipe.com</a>. It is very fast, because for the most part my WYSIWYG editor is limiting most of the HTML anyways. Personally I like the whitelist everything even the attributes approach, because browsers allow you to add onclick, onfocus, onwhatever to every tag, and they will all execute JavaScript. </p>
<pre>return HtmlTagExpression.Replace(text, new MatchEvaluator((Match m) => {
if (!ValidHtmlTags.ContainsKey(m.Groups["tag"].Value))
return String.Empty;
StringBuilder generatedTag = new StringBuilder(m.Length);
System.Text.RegularExpressions.Group tagStart = m.Groups["tag_start"];
System.Text.RegularExpressions.Group tagEnd = m.Groups["tag_end"];
System.Text.RegularExpressions.Group tag = m.Groups["tag"];
System.Text.RegularExpressions.Group tagAttributes = m.Groups["attr"];
generatedTag.Append(tagStart.Success ? tagStart.Value : "<");
generatedTag.Append(tag.Value);
foreach (Capture attr in tagAttributes.Captures)
{
int indexOfEquals = attr.Value.IndexOf('=');
// don't proceed any futurer if there is no equal sign or just an equal sign
if (indexOfEquals < 1)
continue;
string attrName = attr.Value.Substring(0, indexOfEquals);
// check to see if the attribute name is allowed and write attribute if it is
if (ValidHtmlTags[tag.Value].Contains(attrName))
{
generatedTag.Append(' ');
generatedTag.Append(attr.Value);
}
}
// add nofollow to all hyperlinks
if (tagStart.Success && tagStart.Value == "<" && tag.Value.Equals("a", StringComparison.OrdinalIgnoreCase))
generatedTag.Append(" rel=\"nofollow\"");
generatedTag.Append(tagEnd.Success ? tagEnd.Value : ">");
return generatedTag.ToString();
}));</pre>Nicknick@coderjournal.com